Bug 2010921

Summary: Azure Stack Hub does not handle additionalTrustBundle
Product: OpenShift Container Platform Reporter: Patrick Dillon <padillon>
Component: InstallerAssignee: Patrick Dillon <padillon>
Installer sub component: openshift-installer QA Contact: Mike Gahagan <mgahagan>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: awestbro, mstaeble, tsze
Version: 4.10   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2012173 (view as bug list) Environment:
Last Closed: 2022-03-10 16:17:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2012173    

Description Patrick Dillon 2021-10-05 15:54:44 UTC 
Platform: Azure Stack Hub
IPI & UPI

Azure Stack Hub does not add the additionalTrustBundle to the cloud provider config or the bootstrap ignition stub, so this does not allow for installation in environments that need certificates signed by internal CAs. 

Our new environment Azure Stack environment, WWT, uses certificates signed by internal CAs so we see that installations fail there.

First, installations fail when trying to pull ignition from the storage blob. This can be handled in the UPI instructions.

Second, installations fail when operators do not have the trust bundle. 

The installer needs to place the additional trust bundle in the cloud provider config, then we need to follow up with operators to make sure they are using it. The operators we know we need to follow up with are:
CCM (cloud team and machine-api for 4.10 only)
image registry
storage
network edge for ingress controller
Comment 4 Mike Gahagan 2021-12-06 18:33:00 UTC 
Confirmed we can now handle the self-signed certificate our ASH instance uses for cluster installation. Once the bootstrap ignition is updated to include the cert the bootstrap node will then download necessary content for installation and the cluster will use it without issues.
Comment 7 errata-xmlrpc 2022-03-10 16:17:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056